[转]NET Core中实现一个Token base的身份认证
本文转自:http://www.cnblogs.com/Leo_wl/p/6077203.html
注:本文提到的代码示例下载地址> How to achieve a bearer token authentication and authorization in ASP.NET Core
在ASP.NET Core中实现一个Token base的身份认证
以前在web端的身份认证都是基于Cookie | Session的身份认证, 在没有更多的终端出现之前,这样做也没有什么问题, 但在Web API时代,你所需要面对的就不止是浏览器了,还有各种客户端,这样就有了一个问题,这些客户端是不知道cookie是什么鬼的。 (cookie其实是浏览器搞出来的小猫腻,用来保持会话的,但HTTP本身是无状态的, 各种客户端能提供的无非也就是HTTP操作的API)
而基于Token的身份认证就是应对这种变化而生的,它更开放,安全性也更高。
基于Token的身份认证有很多种实现方式,但我们这里只使用微软提供的API。
接下来的例子将带领大家完成一个使用微软JwtSecurityTokenHandler完成一个基于beare token的身份认证。
注意:这种文章属于Step by step教程,跟着做才不至于看晕,下载完整代码分析代码结构才有意义。
前期准备
- 推荐使用VS2015 Update3作为你的IDE,下载地址:www.visualstudio.com
- 你需要安装.NET Core的运行环境以及开发工具,这里提供VS版:www.microsoft.com/net/core
创建项目
在VS中新建项目,项目类型选择ASP.NET Core Web Application(.NET Core), 输入项目名称为CSTokenBaseAuth
Coding
创建一些辅助类
在项目根目录下创建一个文件夹Auth,并添加RSAKeyHelper.cs以及TokenAuthOption.cs两个文件
在RSAKeyHelper.cs中
- using System.Security.Cryptography;
- namespace CSTokenBaseAuth.Auth
- {
- public class RSAKeyHelper
- {
- public static RSAParameters GenerateKey()
- {
- using (var key = new RSACryptoServiceProvider(2048))
- {
- return key.ExportParameters(true);
- }
- }
- }
- }
在TokenAuthOption.cs中
- using System;
- using Microsoft.IdentityModel.Tokens;
- namespace CSTokenBaseAuth.Auth
- {
- public class TokenAuthOption
- {
- public static string Audience { get; } = "ExampleAudience";
- public static string Issuer { get; } = "ExampleIssuer";
- public static RsaSecurityKey Key { get; } = new RsaSecurityKey(RSAKeyHelper.GenerateKey());
- public static SigningCredentials SigningCredentials { get; } = new SigningCredentials(Key, SecurityAlgorithms.RsaSha256Signature);
- public static TimeSpan ExpiresSpan { get; } = TimeSpan.FromMinutes(20);
- }
- }
- using System;
Startup.cs
在ConfigureServices中添加如下代码:
- services.AddAuthorization(auth =>
- {
- auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
- .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
- .RequireAuthenticatedUser().Build());
- });
完整的代码应该是这样
- public void ConfigureServices(IServiceCollection services)
- {
- // Add framework services.
- services.AddApplicationInsightsTelemetry(Configuration);
- // Enable the use of an [Authorize("Bearer")] attribute on methods and classes to protect.
- services.AddAuthorization(auth =>
- {
- auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
- .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
- .RequireAuthenticatedUser().Build());
- });
- services.AddMvc();
- }
在Configure方法中添加如下代码
- app.UseExceptionHandler(appBuilder => {
- appBuilder.Use(async (context, next) => {
- var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature;
- //when authorization has failed, should retrun a json message to client
- if (error != null && error.Error is SecurityTokenExpiredException)
- {
- context.Response.StatusCode = 401;
- context.Response.ContentType = "application/json";
- await context.Response.WriteAsync(JsonConvert.SerializeObject(
- new { authenticated = false, tokenExpired = true }
- ));
- }
- //when orther error, retrun a error message json to client
- else if (error != null && error.Error != null)
- {
- context.Response.StatusCode = 500;
- context.Response.ContentType = "application/json";
- await context.Response.WriteAsync(JsonConvert.SerializeObject(
- new { success = false, error = error.Error.Message }
- ));
- }
- //when no error, do next.
- else await next();
- });
- });
这段代码主要是Handle Error用的,比如当身份认证失败的时候会抛出异常,而这里就是处理这个异常的。
接下来在相同的方法中添加如下代码,
- app.UseExceptionHandler(appBuilder => {
- appBuilder.Use(async (context, next) => {
- var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature;
- //when authorization has failed, should retrun a json message to client
- if (error != null && error.Error is SecurityTokenExpiredException)
- {
- context.Response.StatusCode = 401;
- context.Response.ContentType = "application/json";
- await context.Response.WriteAsync(JsonConvert.SerializeObject(
- new { authenticated = false, tokenExpired = true }
- ));
- }
- //when orther error, retrun a error message json to client
- else if (error != null && error.Error != null)
- {
- context.Response.StatusCode = 500;
- context.Response.ContentType = "application/json";
- await context.Response.WriteAsync(JsonConvert.SerializeObject(
- new { success = false, error = error.Error.Message }
- ));
- }
- //when no error, do next.
- else await next();
- });
- });
应用JwtBearerAuthentication
- app.UseJwtBearerAuthentication(new JwtBearerOptions {
- TokenValidationParameters = new TokenValidationParameters {
- IssuerSigningKey = TokenAuthOption.Key,
- ValidAudience = TokenAuthOption.Audience,
- ValidIssuer = TokenAuthOption.Issuer,
- ValidateIssuerSigningKey = true,
- ValidateLifetime = true,
- ClockSkew = TimeSpan.FromMinutes(0)
- }
- });
完整的代码应该是这样
- using System;
- using Microsoft.AspNetCore.Builder;
- using Microsoft.AspNetCore.Hosting;
- using Microsoft.Extensions.Configuration;
- using Microsoft.Extensions.DependencyInjection;
- using Microsoft.Extensions.Logging;
- using Microsoft.AspNetCore.Authorization;
- using Microsoft.AspNetCore.Authentication.JwtBearer;
- using CSTokenBaseAuth.Auth;
- using Microsoft.AspNetCore.Diagnostics;
- using Microsoft.IdentityModel.Tokens;
- using Microsoft.AspNetCore.Http;
- using Newtonsoft.Json;
- namespace CSTokenBaseAuth
- {
- public class Startup
- {
- public Startup(IHostingEnvironment env)
- {
- var builder = new ConfigurationBuilder()
- .SetBasePath(env.ContentRootPath)
- .AddJsonFile("appsettings.json", optional: true, reloadOnChange: true)
- .AddJsonFile($"appsettings.{env.EnvironmentName}.json", optional: true);
- if (env.IsEnvironment("Development"))
- {
- // This will push telemetry data through Application Insights pipeline faster, allowing you to view results immediately.
- builder.AddApplicationInsightsSettings(developerMode: true);
- }
- builder.AddEnvironmentVariables();
- Configuration = builder.Build();
- }
- public IConfigurationRoot Configuration { get; }
- // This method gets called by the runtime. Use this method to add services to the container
- public void ConfigureServices(IServiceCollection services)
- {
- // Add framework services.
- services.AddApplicationInsightsTelemetry(Configuration);
- // Enable the use of an [Authorize("Bearer")] attribute on methods and classes to protect.
- services.AddAuthorization(auth =>
- {
- auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
- .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
- .RequireAuthenticatedUser().Build());
- });
- services.AddMvc();
- }
- // This method gets called by the runtime. Use this method to configure the HTTP request pipeline
- public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
- {
- loggerFactory.AddConsole(Configuration.GetSection("Logging"));
- loggerFactory.AddDebug();
- app.UseApplicationInsightsRequestTelemetry();
- app.UseApplicationInsightsExceptionTelemetry();
- #region Handle Exception
- app.UseExceptionHandler(appBuilder => {
- appBuilder.Use(async (context, next) => {
- var error = context.Features[typeof(IExceptionHandlerFeature)] as IExceptionHandlerFeature;
- //when authorization has failed, should retrun a json message to client
- if (error != null && error.Error is SecurityTokenExpiredException)
- {
- context.Response.StatusCode = 401;
- context.Response.ContentType = "application/json";
- await context.Response.WriteAsync(JsonConvert.SerializeObject(
- new { authenticated = false, tokenExpired = true }
- ));
- }
- //when orther error, retrun a error message json to client
- else if (error != null && error.Error != null)
- {
- context.Response.StatusCode = 500;
- context.Response.ContentType = "application/json";
- await context.Response.WriteAsync(JsonConvert.SerializeObject(
- new { success = false, error = error.Error.Message }
- ));
- }
- //when no error, do next.
- else await next();
- });
- });
- #endregion
- #region UseJwtBearerAuthentication
- app.UseJwtBearerAuthentication(new JwtBearerOptions {
- TokenValidationParameters = new TokenValidationParameters {
- IssuerSigningKey = TokenAuthOption.Key,
- ValidAudience = TokenAuthOption.Audience,
- ValidIssuer = TokenAuthOption.Issuer,
- ValidateIssuerSigningKey = true,
- ValidateLifetime = true,
- ClockSkew = TimeSpan.FromMinutes(0)
- }
- });
- #endregion
- app.UseMvc(routes =>
- {
- routes.MapRoute(
- name: "default",
- template: "{controller=Login}/{action=Index}");
- });
- }
- }
- }
- services.AddAuthorization(auth =>
在Controllers中新建一个Web API Controller Class,命名为TokenAuthController.cs。我们将在这里完成登录授权
在同文件下添加两个类,分别用来模拟用户模型,以及用户存储,代码应该是这样
- public class User
- {
- public Guid ID { get; set; }
- public string Username { get; set; }
- public string Password { get; set; }
- }
- public static class UserStorage
- {
- public static List<User> Users { get; set; } = new List<User> {
- new User {ID=Guid.NewGuid(),Username="user1",Password = "user1psd" },
- new User {ID=Guid.NewGuid(),Username="user2",Password = "user2psd" },
- new User {ID=Guid.NewGuid(),Username="user3",Password = "user3psd" }
- };
- }
接下来在TokenAuthController.cs中添加如下方法
- private string GenerateToken(User user, DateTime expires)
- {
- var handler = new JwtSecurityTokenHandler();
- ClaimsIdentity identity = new ClaimsIdentity(
- new GenericIdentity(user.Username, "TokenAuth"),
- new[] {
- new Claim("ID", user.ID.ToString())
- }
- );
- var securityToken = handler.CreateToken(new SecurityTokenDescriptor
- {
- Issuer = TokenAuthOption.Issuer,
- Audience = TokenAuthOption.Audience,
- SigningCredentials = TokenAuthOption.SigningCredentials,
- Subject = identity,
- Expires = expires
- });
- return handler.WriteToken(securityToken);
- }
该方法仅仅只是生成一个Auth Token,接下来我们来添加另外一个方法来调用它
在相同文件中添加如下代码
- [HttpPost]
- public string GetAuthToken(User user)
- {
- var existUser = UserStorage.Users.FirstOrDefault(u => u.Username == user.Username && u.Password == user.Password);
- if (existUser != null)
- {
- var requestAt = DateTime.Now;
- var expiresIn = requestAt + TokenAuthOption.ExpiresSpan;
- var token = GenerateToken(existUser, expiresIn);
- return JsonConvert.SerializeObject(new {
- stateCode = 1,
- requertAt = requestAt,
- expiresIn = TokenAuthOption.ExpiresSpan.TotalSeconds,
- accessToken = token
- });
- }
- else
- {
- return JsonConvert.SerializeObject(new { stateCode = -1, errors = "Username or password is invalid" });
- }
- }
该文件完整的代码应该是这样
- using System;
- using System.Collections.Generic;
- using System.Linq;
- using System.Threading.Tasks;
- using Microsoft.AspNetCore.Mvc;
- using Newtonsoft.Json;
- using System.IdentityModel.Tokens.Jwt;
- using System.Security.Claims;
- using System.Security.Principal;
- using Microsoft.IdentityModel.Tokens;
- using CSTokenBaseAuth.Auth;
- namespace CSTokenBaseAuth.Controllers
- {
- [Route("api/[controller]")]
- public class TokenAuthController : Controller
- {
- [HttpPost]
- public string GetAuthToken(User user)
- {
- var existUser = UserStorage.Users.FirstOrDefault(u => u.Username == user.Username && u.Password == user.Password);
- if (existUser != null)
- {
- var requestAt = DateTime.Now;
- var expiresIn = requestAt + TokenAuthOption.ExpiresSpan;
- var token = GenerateToken(existUser, expiresIn);
- return JsonConvert.SerializeObject(new {
- stateCode = 1,
- requertAt = requestAt,
- expiresIn = TokenAuthOption.ExpiresSpan.TotalSeconds,
- accessToken = token
- });
- }
- else
- {
- return JsonConvert.SerializeObject(new { stateCode = -1, errors = "Username or password is invalid" });
- }
- }
- private string GenerateToken(User user, DateTime expires)
- {
- var handler = new JwtSecurityTokenHandler();
- ClaimsIdentity identity = new ClaimsIdentity(
- new GenericIdentity(user.Username, "TokenAuth"),
- new[] {
- new Claim("ID", user.ID.ToString())
- }
- );
- var securityToken = handler.CreateToken(new SecurityTokenDescriptor
- {
- Issuer = TokenAuthOption.Issuer,
- Audience = TokenAuthOption.Audience,
- SigningCredentials = TokenAuthOption.SigningCredentials,
- Subject = identity,
- Expires = expires
- });
- return handler.WriteToken(securityToken);
- }
- }
- public class User
- {
- public Guid ID { get; set; }
- public string Username { get; set; }
- public string Password { get; set; }
- }
- public static class UserStorage
- {
- public static List<User> Users { get; set; } = new List<User> {
- new User {ID=Guid.NewGuid(),Username="user1",Password = "user1psd" },
- new User {ID=Guid.NewGuid(),Username="user2",Password = "user2psd" },
- new User {ID=Guid.NewGuid(),Username="user3",Password = "user3psd" }
- };
- }
- }
- public class User
接下来我们来完成授权验证部分
在Controllers中新建一个Web API Controller Class,命名为ValuesController.cs
在其中添加如下代码
- public string Get()
- {
- var claimsIdentity = User.Identity as ClaimsIdentity;
- var id = claimsIdentity.Claims.FirstOrDefault(c => c.Type == "ID").Value;
- return $"Hello! {HttpContext.User.Identity.Name}, your ID is:{id}";
- }
为方法添加装饰属性
- [HttpGet]
- [Authorize("Bearer")]
完整的文件代码应该是这样
- using System.Linq;
- using Microsoft.AspNetCore.Mvc;
- using Microsoft.AspNetCore.Authorization;
- using System.Security.Claims;
- namespace CSTokenBaseAuth.Controllers
- {
- [Route("api/[controller]")]
- public class ValuesController : Controller
- {
- [HttpGet]
- [Authorize("Bearer")]
- public string Get()
- {
- var claimsIdentity = User.Identity as ClaimsIdentity;
- var id = claimsIdentity.Claims.FirstOrDefault(c => c.Type == "ID").Value;
- return $"Hello! {HttpContext.User.Identity.Name}, your ID is:{id}";
- }
- }
- }
- public string Get()
最后让我们来添加视图
在Controllers中新建一个Web Controller Class,命名为LoginController.cs
其中的代码应该是这样
- using Microsoft.AspNetCore.Mvc;
- namespace CSTokenBaseAuth.Controllers
- {
- [Route("[controller]/[action]")]
- public class LoginController : Controller
- {
- public IActionResult Index()
- {
- return View();
- }
- }
- }
在项目Views目录下新建一个名为Login的目录,并在其中新建一个Index.cshtml文件。
代码应该是这个样子
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <title></title>
- </head>
- <body>
- <button id="getToken">getToken</button>
- <button id="requestAPI">requestAPI</button>
- <script src="https://code.jquery.com/jquery-3.1.1.min.js"></script>
- <script>
- $(function () {
- var accessToken = undefined;
- $("#getToken").click(function () {
- $.post(
- "/api/TokenAuth",
- { Username: "user1", Password: "user1psd" },
- function (data) {
- console.log(data);
- if (data.stateCode == 1)
- {
- accessToken = data.accessToken;
- $.ajaxSetup({
- headers: { "Authorization": "Bearer " + accessToken }
- });
- }
- },
- "json"
- );
- })
- $("#requestAPI").click(function () {
- $.get("/api/Values", {}, function (data) {
- alert(data);
- }, "text");
- })
- })
- </script>
- </body>
- </html>
最后:完整的代码Sample以及运行手册,请访问:How to achieve a bearer token authentication and authorization in ASP.NET Core
[转]NET Core中实现一个Token base的身份认证的更多相关文章
- 在ASP.NET Core中实现一个Token base的身份认证
注:本文提到的代码示例下载地址> How to achieve a bearer token authentication and authorization in ASP.NET Core 在 ...
- NET Core中实现一个Token base的身份认证
NET Core中实现一个Token base的身份认证 注:本文提到的代码示例下载地址> How to achieve a bearer token authentication and au ...
- 如何在ASP.NET Core中实现一个基础的身份认证
注:本文提到的代码示例下载地址> How to achieve a basic authorization in ASP.NET Core 如何在ASP.NET Core中实现一个基础的身份认证 ...
- [转]如何在ASP.NET Core中实现一个基础的身份认证
本文转自:http://www.cnblogs.com/onecodeonescript/p/6015512.html 注:本文提到的代码示例下载地址> How to achieve a bas ...
- ExpandoObject与DynamicObject的使用 RabbitMQ与.net core(一)安装 RabbitMQ与.net core(二)Producer与Exchange ASP.NET Core 2.1 : 十五.图解路由(2.1 or earler) .NET Core中的一个接口多种实现的依赖注入与动态选择看这篇就够了
ExpandoObject与DynamicObject的使用 using ImpromptuInterface; using System; using System.Dynamic; names ...
- 在.NET Core中处理一个接口多个不同实现的依赖注入问题
前言 近段时间在准备公司的技术分享,所以这段时间将大部分时间放在准备分享内容上去了.博客也就停了一下下. 在.NET Core中处理依赖注入问题时,往往是定义好了一个操作规范的接口,会有N多个基于不同 ...
- .NET Core中的一个接口多种实现的依赖注入与动态选择看这篇就够了
最近有个需求就是一个抽象仓储层接口方法需要SqlServer以及Oracle两种实现方式,为了灵活我在依赖注入的时候把这两种实现都给注入进了依赖注入容器中,但是在服务调用的时候总是获取到最后注入的那个 ...
- 玩一玩基于Token的 自定义身份认证+权限管理
使用基于 Token 的身份验证方法,在服务端不需要存储用户的登录记录.大概的流程是这样的: 客户端使用用户名跟密码请求登录 服务端收到请求,去验证用户名与密码 验证成功后,服务端会签发一个 Toke ...
- API网关设计(一)之Token多平台身份认证方案(转载)
原文:https://segmentfault.com/a/1190000018535570?utm_source=tag-newest 概述 今天咱们面对移动互联网的发展,系统一般是多个客户端对应一 ...
随机推荐
- SQL存储过程分页(通用的拼接SQL语句思路实现)
多表通用的SQL存储过程分页 案例一: USE [Community] GO /****** Object: StoredProcedure [dbo].[Common_PageList] Scrip ...
- combox
通过combox控件本身的item添加了选项后,该控件在启动后SelectedIndex默认值是-1,所以最好是在窗体加载的时候初始化城SelectedIndex=0 另外如果是窗体加载时item从数 ...
- 基于CkEditor实现.net在线开发之路(1)
我以前的公司使用office sharepoint designer为界面设计器,嵌套各种自定义控件,进行各种管理软件,工作流的开发,遇到比较复杂的逻辑,则采用本地写类库,生成DLL上传到服务器,通过 ...
- 一个简单的MVC实例及故障排除
Controller: public ActionResult Index() { string setting = "ApplicationServices"; var conn ...
- C#File类常用的文件操作方法(创建、移动、删除、复制等)
File类,是一个静态类,主要是来提供一些函数库用的.静态实用类,提供了很多静态的方法,支持对文件的基本操作,包括创建,拷贝,移动,删除和 打开一个文件. File类方法的参量很多时候都是路径path ...
- 增加线程异步发送消息的方法一(Thread)
@RequestMapping(value="order/updateOrder.do") public String updateOrder(HttpServletRequest ...
- PHP运行环境,服务器相关配置
1.在DOS命令窗口输入 mysql -hlocalhost -uroot -p回车 进入mysql数据库, 其中-h表示服务器名,localhost表示本地:-u为数据库用户名,root是mysql ...
- Code First :使用Entity. Framework编程(8) ----转发 收藏
第8章 Code First将走向哪里? So far, this book has covered all of the Code First components that reached the ...
- [deviceone开发]-利用do_ListView模拟单选功能
一.简介 这个是利用do_ListView组件实现多个选项里选择一项的功能,示例很简单,但是有助于理解复用机制,也可以直接参考使用.初学者推荐.二.效果图 三.相关下载 https://github. ...
- js => ES6一个新的函数写法
今天在网上参观到一个写法,返回字符串个个字母的个数 var arr='aaabbccaa'; var info = arr.split('').reduce((p, k) => (p[k]++ ...